1. © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L1 1 Implementing Secure Converged Wide Area Networks (ISCW) Module 5 – ‘Cisco Device Hardening’

5. IDS = Intrution Detection System IPS = Intrution Protection System HIPS = Host Intrution Protection System

7. Encryption / Access control configuration / Den nye opdateret version hedder: RFC 3704 filtering

9. Worm Attack, Mitigation and Response  The anatomy of a worm attack has three parts: The enabling vulnerability: A worm installs itself on a vulnerable system Propagation mechanism: After gaining access to devices, a worm replicates and selects new targets Payload: Once the worm infects the device, the attacker has access to the host – often as a privileged user. Attackers use a local exploit to escalate their privilege level to administrator.

10. Worm attack mitigation  Worm attack mitigation requires diligence on the part of system and network administration staff.  Coordination between system administration, network engineering, and security operations personnel is critical in responding effectively to a worm incident.  Recommended steps for worm attack mitigation: Containment: Contain the spread of the worm into your network and within your network. Compartmentalise uninfected parts of your network. Inoculation: Start patching all systems and, if possible, scanning for vulnerable systems. Quarantine: Track down each infected machine inside your network. Disconnect, remove, or block infected machines from the network. Treatment: Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.

11. SNMP v3 er krypteret og sikker.

12. © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L1 12 Disabling Unused Cisco Router Network Services and Interfaces

13. Unnecessary Services and Interfaces Router ServiceDefaultBest Practice BOOTP server EnabledDisable Cisco Discovery Protocol (CDP) EnabledDisable if not required Configuration auto-loading DisabledDisable if not required FTP server Disabled Disable if not required. Otherwise encrypt traffic within an IPsec tunnel. TFTP server Disabled Disable if not required. Otherwise encrypt traffic within an IPsec tunnel. Network Time Protocol (NTP) service Disabled Disable if not required. Otherwise configure NTPv3 and control access between permitted devices using ACLs. Packet assembler and disassembler (PAD) service EnabledDisable if not required TCP and UDP minor services Enabled (pre 11.3) Disabled (11.3+) Disable if not required Maintenance Operation Protocol (MOP) service EnabledDisable explicitly if not required

14. Commonly Configured Management Services Management Service Enabled by Default Best Practice Simple Network Management Protocol (SNMP) Enabled Disable the service. Otherwise configure SNMPv3. HTTP configuration and monitoring Device dependent Disable if not required. Otherwise restrict access using ACLs. Domain Name System (DNS) Client Service – Enabled Disable if not required. Otherwise explicitly configure the DNS server address.

15. Path Integrity Mechanisms Path Integrity Mechanism Enabled by Default Best Practice ICMP redirects EnabledDisable the service IP source routing EnabledDisable if not required.

16. Probe and Scan Features Probe and Scan Feature Enabled by Default Best Practice Finger service EnabledDisable if not required. ICMP unreachable notifications Enabled Disable explicitly on untrusted interfaces. ICMP mask reply Disabled Disable explicitly on untrusted interfaces.

17. Terminal Access Security Enabled by Default Best Practice IP identification service EnabledDisable TCP Keepalives DisabledEnable

18. ARP Service Enabled by Default Best Practice Gratuitous ARP EnabledDisable if not required. Proxy ARP EnabledDisable if not required.

19. AutoSecure Functions  AutoSecure can selectively lock down: Management plane services and functions: Finger, PAD, UDP and TCP small servers, password encryption, TCP keepalives, CDP, BOOTP, HTTP, source routing, gratuitous ARP, proxy ARP, ICMP (redirects, mask-replies), directed broadcast, MOP, banner Also provides password security and SSH access Forwarding plane services and functions: CEF, traffic filtering with ACLs Firewall services and functions: Cisco IOS Firewall inspection for common protocols Login functions: Password security NTP protocol SSH access TCP Intercept services Syntax: Router#Auto Secure ? Forwarding Secure Forwarding Plane Management Secure Management Plane No-interact Non-Interactive session of AutoSecure

20. SSH-Configuration Router(Config)#ip domain-name [Domæne navn] Router(Config)#crypto key genereate rsa ? General-keys Generate a general purpose RSA key pair for signing and encryption Usage-keys Generate seperate RSA key pairs for signing and encryption Router(Config)# crypto key genereate rsa general-keys modulus [modulus = nøgle størrelse i bit (360-2048)] Nøgler over 512 bit anbefales, normalt bruges 1024 bit.

21. AutoSecure Failure Rollback Feature  If AutoSecure fails to complete its operation, the running configuration may be corrupt: In Cisco IOS Release 12.3(8)T and later releases: Pre-AutoSecure configuration snapshot is stored in the flash under filename pre_autosec.cfg Rollback reverts the router to the router’s pre-autosecure configuration Command: configure replace flash:pre_autosec.cfg If the router is using software prior to Cisco IOS Release 12.3(8)T, the running configuration should be saved before running AutoSecure.

22. Locking Down Routers with Cisco SDM  SDM simplifies router and security configuration through smart wizards that help to quickly and easily deploy, configure, and monitor a Cisco router without requiring knowledge of the CLI  SDM simplifies firewall and IOS software configuration without requiring expertise about security or IOS software  SDM contains a Security Audit wizard that performs a comprehensive router security audit  SDM uses security configurations recommended by Cisco Technical Assistance Center (TAC) and the International Computer Security Association (ICSA) as the basis for comparisons and default settings  The Security Audit wizard assesses the vulnerability of the existing router and provides quick compliance to best-practice security policies  SDM can implement almost all of the configurations that AutoSecure offers with the One-Step Lockdown feature

23. © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L1 23 Securing Cisco Router Administrative Access

24. Setting a Login Failure Blocking Period router(config)# login block-for seconds attempts tries within seconds Blocks access for a quiet period after a configurable number of failed login attempts within a specified period Must be entered before any other login command Mitigates DoS and break-in attacks Perth(config)#login block-for 100 attempts 2 within 100

25. Excluding Addresses from Login Blocking router(config)# login quiet-mode access-class {acl-name | acl-number} Specifies an ACL that is applied to the router when it switches to the quiet mode If not configured, all login requests will be denied during the quiet mode Excludes IP addresses from failure counting for login block-for command Perth(config)#login quiet-mode access-class myacl

26. Setting a Login Delay router(config)# login delay seconds Configures a delay between successive login attempts Helps mitigate dictionary attacks If not set, a default delay of one second is enforced after the login block-for command is configured Perth(config)#login delay 30

27. © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L1 27 Configuring Role- Based CLI

28. Role-Based CLI Overview  Root view is the highest administrative view  Creating and modifying a view or ‘superview’ is possible only from root view  The difference between root view and privilege Level 15 is that only a root view user can create or modify views and superviews  CLI views require AAA new-model: This is necessary even with local view authentication View authentication can be offloaded to an AAA server using the new attribute "cli-view-name"  A maximum of 15 CLI views can exist in addition to the root view

29. Getting Started with Role-Based CLI router# enable [privilege-level] [view [view-name]] Enter a privilege level or a CLI view. Use enable command with the view parameter to enter the root view. Root view requires privilege Level 15 authentication. The aaa-new model must be enabled. Perth(config)#aaa new-model Perth(config)#exit Perth#enable view Password: Perth# %PARSER-6-VIEW_SWITCH: successfully set to view 'root'

30. Configuring CLI Views router(config)# Creates a view and enters view configuration mode Perth(config)#parser view monitor_view Perth(config-view)#password 5 hErMeNe%GiLdE! Perth(config-view)#commands exec include show version parser view view-name router(config-view)# password 5 encrypted-password commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command] Sets a password to protect access to the view Adds commands or interfaces to a view

31. © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L1 31 Mitigating Threats and Attacks with Access Lists

32. © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L1 32 Configuring SNMP

33. SNMPv1 and SNMPv2 Architecture SNMP asks agents embedded in network devices for information or tells the agents to do something.

34. Community Strings  In effect, having read-write access is equivalent to having the enable password!  SNMP agents accept commands and requests only from SNMP systems that use the correct community string.  By default, most SNMP systems use a community string of “public”  If the router SNMP agent is configured to use this commonly known community string, anyone with an SNMP system is able to read the router MIB  Router MIB variables can point to entities like routing tables and other security-critical components of a router configuration, so it is very important that custom SNMP community strings are created !

35. SNMPv3 Features and Benefits Features–Message integrity: Ensures that a packet has not been tampered with in transit –Authentication: Determines that the message is from a valid source –Encryption: Scrambles the contents of a packet to prevent the packet from being seen by an unauthorised source Benefits–Data can be collected securely from SNMP devices without fear of the data being tampered with or corrupted –Confidential information, such as SNMP Set command packets that change a router configuration, can be encrypted to prevent the contents from being exposed on the network It is strongly recommend that all network management systems use SNMPv3 rather than SNMPv1 or SNMPv2

36. © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L1 36 Configuring NTP on Cisco Routers

37. NTP-Authentication

38. NTP-Server

39. NTP-Associations

40. © 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L1 40 Configuring AAA on Cisco Routers

41. The Three Components of AAA  Authentication Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol selected, encryption  Authorisation Provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet  Accounting Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes

42. AAA Protocols: RADIUS and TACACS+

43. AAA-Server Configuration

44. AAA-Authentication Configurations CLI

45. AAA-Authorization Configuration

47. AAA-Accounting Configuration